CEHv8 Module 07 Viruses and Worms.pdf
7/22/2019 CEHv8 Module 07 Viruses and Worms.pdf
Viruses and Worms
Module 07

Exam 312-50 Certified Ethical Hacker
Ethical Hacking and Countermeasures v8
Module 07: Viruses and Worms
Engineered by Hackers. Presented by Professionals.

Module 07 Page 1007 Ethical Hacking and Countermeasures Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Security News: Global Cyber-Warfare Tactics: New Flame-linked Malware used in Cyber-Espionage
Source: http://www.globalresearch.ca (GlobalResearch, October 19, 2012)
A new cyber espionage program linked to the notorious Flame and Gauss malware has been detected by Russia's Kaspersky Lab. The antivirus giant's chief warns that global cyber warfare is in "full swing" and will probably escalate in 2013.

The virus, dubbed miniFlame, and also known as SPE, has already infected computers in Iran, Lebanon, France, the United States, and Lithuania. It was discovered in July 2012 and is described as "a small and highly flexible malicious program designed to steal data and control infected systems during targeted cyber espionage operations," Kaspersky Lab said in a statement posted on its website.

The malware was originally identified as an appendage of Flame, the program used for targeted cyber espionage in the Middle East and acknowledged to be part of joint US-Israeli efforts to undermine Iran's nuclear program.
But later, Kaspersky Lab analysts discovered that miniFlame is an "interoperable tool that could be used as an independent malicious program, or concurrently as a plug-in for both the Flame and Gauss malware."

The analysis also showed new evidence of cooperation between the creators of Flame and Gauss, as both viruses can use miniFlame for their operations.

"MiniFlame's ability to be used as a plug-in by either Flame or Gauss clearly connects the collaboration between the development teams of both Flame and Gauss. Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same 'cyber warfare' factory," Kaspersky Lab said.

High-precision attack tool

So far just 50 to 60 cases of infection have been detected worldwide, according to Kaspersky Lab. But unlike Flame and Gauss, miniFlame is meant for installation on machines already infected by those viruses.

"MiniFlame is a high-precision attack tool. Most likely it is a targeted cyber weapon used in what can be defined as the second wave of a cyber attack," Kaspersky's Chief Security Expert Alexander Gostev explained.

"First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage."

The newly-discovered malware can also take screenshots of an infected computer while it is running a specific program or application such as a web browser, Microsoft Office program, Adobe Reader, instant messenger service or FTP client.

Kaspersky Lab believes miniFlame's developers have probably created dozens of different modifications of the program. "At this time, we have only found six of these, dated 2010-2011," the firm said.

Cyber warfare in full swing

Meanwhile, Kaspersky Lab's co-founder and CEO Eugene Kaspersky warned that global cyber warfare tactics are becoming more sophisticated while also becoming more threatening. He urged governments to work together to fight cyber warfare and cyber-terrorism, Xinhua news agency reports.

Speaking at an International Telecommunication Union Telecom World conference in Dubai, the antivirus tycoon said, "cyber warfare is in full swing and we expect it to escalate in 2013."

"The latest malicious virus attack on the world's largest oil and gas company, Saudi Aramco, last August shows how dependent we are today on the Internet and information technology in general, and how vulnerable we are," Kaspersky said.

He stopped short of blaming any particular player behind the massive cyber-attacks across the Middle East, pointing out that "our job is not to identify hackers or cyber-terrorists. Our firm is like an X-ray machine, meaning we can scan and identify a problem, but we cannot say who or what is behind it."

Iran, who confirmed that it suffered an attack by Flame malware that caused severe data loss, blames the United States and Israel for unleashing the cyber-attacks.

Copyright 2005-2012 GlobalResearch.ca
By Russia Today
http://www.globalresearch.ca/global-cyber-warfare-tactics-new-flame-linked-malware-used-in-cyber-espionage/5308867
Module Objectives

The objective of this module is to expose you to the various viruses and worms available today. It gives you information about all the available viruses and worms. This module examines the workings of a computer virus, its function, classification, and the manner in which it affects systems. This module will go into detail about the various countermeasures available to protect against these virus infections. The main objective of this module is to educate you about the available viruses and worms, indications of their attack, and the ways to protect against various viruses, and testing your system or network against viruses or worms presence.

This module will familiarize you with:
- Introduction to Viruses
- Stages of Virus Life
- Working of Viruses
- Indications of Virus Attack
- How Does a Computer Get Infected by Viruses?
- Virus Analysis
- Types of Viruses
- Virus Maker
- Computer Worms
- Worm Analysis
- Worm Maker
- Malware Analysis Procedure
- Online Malware Analysis Services
- Virus and Worms Countermeasures
- Antivirus Tools
- Penetration Testing for Virus
Module Flow

This section introduces you to various viruses and worms available today and gives you a brief overview of each virus and statistics of viruses and worms in the recent years. It lists various types of viruses and their effects on your system. The working of viruses in each phase will be discussed in detail. The techniques used by the attacker to distribute malware on the web are highlighted.

Module flow: Virus and Worms Concepts -> Types of Viruses -> Computer Worms -> Malware Analysis -> Countermeasures -> Penetration Testing
Introduction to Viruses

- A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector or document
- Viruses are generally transmitted through file downloads, infected disk/flash drives and as email attachments

Virus characteristics: alters data; corrupts files and programs; self propagates; infects other programs; transforms itself; encrypts itself.

Computer viruses have the potential to wreak havoc on both business and personal computers. Worldwide, most businesses have been infected at some point. A virus is a self-replicating program that produces its own code by attaching copies of it into other executable codes. This virus operates without the knowledge or desire of the user. Like a real virus, a computer virus is contagious and can contaminate other files. However, viruses can infect outside machines only with the assistance of computer users. Some viruses affect computers as soon as their code is executed; other viruses lie dormant until a pre-determined logical circumstance is met. There are three categories of malicious programs:
- Trojans and rootkits
- Viruses
- Worms

A worm is a malicious program that can infect both local and remote machines. Worms spread automatically by infecting system after system in a network, and even spreading further to other networks. Therefore, worms have a greater potential for causing damage because they do not rely on the user's actions for execution. There are also malicious programs in the wild that contain all of the features of these three malicious programs.
Virus and Worm Statistics
Source: http://www.av-test.org

[FIGURE 7.1: Virus and Worm Statistics. Bar chart by year, 2008 to 2012; y-axis from 0 to 75,000,000 in steps of 15,000,000.]

This graphical representation gives detailed information of the attacks that have occurred in the recent years. According to the graph, only 11,666,667 systems were affected by viruses and worms in the year 2008, whereas in the year 2012, the count drastically increased to 70,000,000 systems, which means that the growth of malware attacks on systems is increasing exponentially year by year.
Stages of Virus Life

Computer virus attacks spread through various stages from inception to design to elimination.

1. Design: A virus code is developed by using programming languages or construction kits. Anyone with basic programming knowledge can create a virus.
2. Replication: A virus first replicates itself within a target system over a period of time, and then spreads itself.
3. Launch: It is activated when a user performs certain actions such as triggering or running an infected program.
4. Detection: A virus is identified as a threat infecting target systems. Its actions cause considerable damage to the target system's data.
5. Incorporation: Antivirus software developers assemble defenses against the virus.
6. Elimination: Users are advised to install antivirus software updates, thus creating awareness among user groups.
Working of Viruses: Infection Phase

In the infection phase, the virus replicates itself and attaches to an .exe file in the system.

Viruses attack a target host's system by using various methods. They attach themselves to programs and transmit themselves to other programs by making use of certain events. Viruses need such events to take place since they cannot:
- Self start
- Infect other hardware
- Cause physical damage to a computer
- Transmit themselves using non-executable files

Generally viruses have two phases, the infection phase and the attack phase.

In the infection phase, the virus replicates itself and attaches to an .exe file in the system. Programs modified by a virus infection can enable virus functionalities to run on that system. Viruses get enabled as soon as the infected program is executed, since the program code leads to the virus code. Virus writers have to maintain a balance among factors such as:
- How will the virus infect?
- How will it spread?
- How will it reside in a target computer's memory without being detected?

Obviously, viruses have to be triggered and executed in order to function. There are many ways to execute programs while a computer is running. For example, any setup program calls for numerous programs that may be built into a system, and some of these are distribution medium programs. Thus, if a virus program already exists, it can be activated with this kind of execution and infect the additional setup program as well.

There are virus programs that infect and keep spreading every time they are executed. Some programs do not infect the programs when first executed. They reside in a computer's memory and infect programs at a later time. Such virus programs as TSR wait for a specified trigger event to spread at a later stage. It is, therefore, difficult to recognize which event might trigger the execution of a dormant virus infection.

Refer to the figure that follows to see how the EXE file infection works.

In the following figure, the .EXE file's header, when triggered, executes and starts running the application. Once this file is infected, any trigger event from the file's header can activate the virus code too, along with the application program as soon as it is run.
- A file virus infects by attaching itself to an executable system application program. Text files such as source code, batch files, script files, etc., are considered potential targets for virus infections.
- Boot sector viruses execute their own code in the first place before the target PC is booted.

[FIGURE 7.2: Working of Viruses in Infection Phase. Before infection: clean .exe file. After infection: virus-infected file with the virus code attached.]
Working of Viruses: Attack Phase

- Viruses are programmed with trigger events to activate and corrupt systems
- Some viruses infect each time they are run and others infect only when a certain predefined condition is met such as a user's specific task, a day, time, or a particular event

Once viruses spread themselves throughout the target system, they start corrupting the files and programs of the host system. Some viruses have trigger events that need to be activated to corrupt the host system. Some viruses have bugs that replicate themselves, and perform activities such as deleting files and increasing session time.

They corrupt their targets only after spreading as intended by their developers. Most viruses that attack target systems perform actions such as:
- Deleting files and altering content in data files, thereby causing the system to slow down
- Performing tasks not related to applications, such as playing music and creating animations

[FIGURE 7.3: Working of Viruses in Attack Phase. Unfragmented file before attack: File A pages 1, 2, 3 followed by File B pages 1, 2, 3. File fragmented due to virus attack: A page 1, B page 3, B page 1, A page 3, B page 2, A page 2.]

Refer to this figure, which has two files, A and B. In section one, the two files are located one after the other in an orderly fashion. Once a virus code infects the file, it alters the positioning of the files that were consecutively placed, thus leading to inaccuracy in file allocations, causing the system to slow down as users try to retrieve their files. In this phase:
- Viruses execute when some events are triggered
- Some execute and corrupt via built-in bug programs after being stored in the host's memory
- Most viruses are written to conceal their presence, attacking only after spreading in the host to the fullest extent
Why Do People Create Computer Viruses?
Source: http://www.securitydocs.com

Computer viruses are not self-generated, but are created by cyber-criminal minds, intentionally designed to cause destructive occurrences in a system. Generally, viruses are created with a disreputable motive. Cyber-criminals create viruses to destroy a company's data, as an act of vandalism or a prank, or to destroy a company's products. However, in some cases, viruses are actually intended to be good for a system. These are designed to improve a system's performance by deleting previously embedded viruses from files.

Some reasons viruses have been written include:
- Inflict damage to competitors
- Research projects
- Pranks
- Vandalism
- Cyber terrorism
- Attack the products of specific companies
- Distribute political messages
- Financial gain
- Identity theft
- Spyware
- Cryptoviral extortion
Indications of Virus Attacks

An effective virus tends to multiply rapidly and may infect a number of machines within three to five days. Viruses can infect Word files which, when transferred, can infect the machines of the users who receive them. A virus can also make good use of file servers in order to infect files. The following are indications of a virus attack on a computer system:
- Processes take more resources and time
- Computer slows down when programs start
- Computer freezes frequently or encounters errors
- Programs take longer to load
- The hard drive is always full, even without installing any programs
- The floppy disk drive or hard drive runs when it is not being used
- Unknown files keep appearing on the system
- The keyboard or the computer emits strange or beeping sounds
- The computer monitor displays strange graphics
- File names turn strange, often beyond recognition
- The hard drive becomes inaccessible when trying to boot from the floppy drive
- A program's size keeps changing
- The memory on the system seems to be in use and the system slows down
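The infection-phase description (a virus attaching itself to an .exe file) and two of the indications listed here (a program's size keeps changing; unknown files keep appearing) point to the same host-side check: record the size and hash of every executable while the system is known-clean, then compare the current state against that baseline. The Python script below is an added example written for this page, not code from the CEH module; the directory layout, the file contents and the list of extensions treated as executable are constructed for the demonstration.

```python
"""File-integrity baseline check: report executables that changed, appeared or vanished."""
import hashlib
import os
import tempfile

# Extensions treated as executable content worth baselining (assumption for this example).
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".com", ".scr"}


def sha256_of(path):
    """Return the hex SHA-256 digest of a file, read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record size and SHA-256 of every executable under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root)
                baseline[rel] = {"size": os.path.getsize(path), "sha256": sha256_of(path)}
    return baseline


def verify_baseline(root, baseline):
    """Compare the current tree against a stored baseline; lists are sorted for stable output."""
    current = build_baseline(root)
    findings = {"modified": [], "new": [], "missing": []}
    for rel, meta in current.items():
        if rel not in baseline:
            findings["new"].append(rel)          # unknown executable appeared
        elif meta != baseline[rel]:
            findings["modified"].append(rel)     # size or content changed since baseline
    for rel in baseline:
        if rel not in current:
            findings["missing"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def demo():
    """Constructed scenario: baseline a small tree, simulate an appending infector, verify."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app.exe")
        with open(app, "wb") as f:
            f.write(b"MZ" + b"\x00" * 100)       # constructed stand-in for a clean binary
        with open(os.path.join(root, "lib.dll"), "wb") as f:
            f.write(b"MZ" + b"\x01" * 50)
        baseline = build_baseline(root)

        # Simulate the infection phase from the module: extra code appended to app.exe ...
        with open(app, "ab") as f:
            f.write(b"CONSTRUCTED-APPENDED-CODE")
        # ... and an unknown executable appearing on the system.
        with open(os.path.join(root, "update.scr"), "wb") as f:
            f.write(b"MZ")
        return verify_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Size alone is a weak signal: an infector that overwrites slack space keeps the size unchanged, which is why the comparison also covers the hash. The baseline must be stored somewhere the checked machine cannot rewrite, and a resident virus can hide its changes from reads on the infected system, so the verification pass is most trustworthy when run from known-clean media.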
Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresViruses and Worm s
How does a Computer GetInfected by Viruses
Whe n a user accepts files and dow nloads w ithout checking
properlyforthe source
ing infected e-mail attachm ents
Installing pirated so ftwa re
Not upda tingand not installing new versions of plug-ins
: running the latest anti-virus application
Copyright by EC-Cauactl. All Rights Reserved. Reproduction is Strictly Prohibited.
H ow D o e s a C o m p u t e r G e t I n fe c t e d b y V i ru s e s ?
There a re many ways in wh ich a com put e r ge ts in fec ted by v i ruses . The mo st po pu la rme thod s a re as fo l l ows:
W hen a user accep ts f i les and dow n load s w i th ou t checking p rope r l y fo r the source .
A t tackers usua l l y send v i rus- in fec ted f i les as ema i l a t tac hm ents to sp read the v i rus on
the v i c t im 's sys tem. I f the v i c t im opens the ma i l , the v i rus au tom at i ca l l y i n fec ts the
sys tem.
A t tackers inco rp ora te v iruses in pop u la r so f tw are p rograms and up load the in fec ted
so f twa r e o n we b s i t e s i n te n d e d t o d o wn l o a d so f twa r e . Wh e n th e v i c t i m d o wn l o a d s
in fec ted s o f tw are and ins ta ll s it , the sys tem ge ts i n fec ted .
Fa il ing to i ns tal l new ve rs ions o r upda te w i th l a tes t pa tches in tended to f ix the kn ownbugs may expose y our sys tem t o v i ruses .
W i th the increasing techno logy , a t tackers a lso are design ing new vi ruses. Fai l ing to use
la tes t an t i v i rus app l i ca t ions may expose you to v i rus a t tacks
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 07 Page 1025
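For the e-mail attachment item above, a mail gateway or desktop tool can triage attachments before the user opens them. The Python script below is an added example, not code from the module: it parses a constructed message with the standard library's email package and flags three things the module's warning corresponds to, a risky extension, a double extension such as .jpg.exe that disguises an executable as an image, and a Windows executable (MZ) header regardless of what the file is called. The sample message, the filenames and the risky-extension list are all constructed for the example.

```python
"""Triage e-mail attachments for executable content before a user opens them."""
import email
import email.policy
from email.message import EmailMessage

# Extensions commonly abused to deliver executable content (assumption: list for this example).
RISKY_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
# Document-looking extensions that attackers place before the real one (e.g. invoice.pdf.exe).
DECOY_EXTS = {"pdf", "doc", "jpg", "txt"}


def classify_attachment(filename, data):
    """Return the reasons an attachment looks dangerous; an empty list means nothing was flagged."""
    reasons = []
    parts = (filename or "").lower().rsplit(".", 2)
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in RISKY_EXTS:
        reasons.append("risky extension ." + ext)
    if len(parts) == 3 and parts[-2] in DECOY_EXTS and ext in RISKY_EXTS:
        reasons.append("double extension disguises executable")
    # Content check independent of the name: Windows PE files begin with the 'MZ' signature.
    if data[:2] == b"MZ":
        reasons.append("PE executable header (MZ)")
    return reasons


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and map each attachment name to its list of flags."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        report[name] = classify_attachment(name, payload)
    return report


def build_sample_message():
    """Constructed sample: a lure carrying a disguised executable and a harmless text note."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Your postcard"
    msg.set_content("Open the attached postcard!")
    # Constructed stand-in for an executable: MZ signature plus padding, named like an image.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="postcard.jpg.exe")
    msg.add_attachment("just a note\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, flags in triage_message(build_sample_message()).items():
        print(name, "->", flags or ["no flags"])
```

The name-based checks catch the common lure patterns; the MZ check matters because a renamed executable still carries its header, and a gateway that only inspects extensions will pass it. In practice the same triage should also look inside archives, since the attachment the user is urged to open is often a .zip wrapping the executable.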
Common Techniques Used to Distribute Malware on the Web

Source: Security Threat Report 2012 (http://www.sophos.com)

Blackhat Search Engine Optimization (SEO): Using this technique, the attacker ranks malware pages high in search results.

Social Engineered Click-jacking: The attackers trick users into clicking on innocent-looking web pages that contain malware.

Spearphishing Sites: This technique is used to mimic legitimate institutions, such as banks, in an attempt to steal account login credentials.

Malvertising: Embeds malware in ad networks that display across hundreds of legitimate, high-traffic sites.

Compromised Legitimate Websites: Host embedded malware that spreads to unsuspecting visitors.

Drive-by Downloads: The attacker exploits flaws in browser software to install malware just by visiting a web page.
Virus Hoaxes and Fake Antiviruses

Attackers disguise malware as an antivirus and trick users into installing it on their systems.

Once installed, these fake antiviruses can damage target systems in the same way as other malware.

Hoaxes are false alarms claiming reports about a non-existing virus, which may contain virus attachments.

Warning messages propagate claiming that a certain email message should not be viewed and that doing so will damage one's system.
Virus Hoaxes

A virus hoax is simply a bluff. Viruses, by their nature, have always created a horrifying impression. Hoaxes are typically untrue scare alerts that unscrupulous individuals send to create havoc. It is fairly common for innocent users to pass these phony messages along, thinking they are helping others avoid the "virus."

Hoaxes are false alarms claiming reports about non-existing viruses.

These warning messages, which can be propagated rapidly, state that a certain email message should not be opened, and that doing so would damage one's system.

In some cases, these warning messages themselves contain virus attachments.

These possess the capability of vast destruction on target systems.

Many hoaxes try to "sell" things that are technically nonsense. Nevertheless, the hoaxer has to be somewhat of an expert to spread hoaxes in order to avoid being identified and caught. Therefore, it is a good practice to look for technical details about how to become infected. Also search for information in the wild to learn more about the hoax, especially by scanning bulletin boards where people actively discuss current happenings in the community.
Try to crosscheck the identity of the person who has posted the warning. Also look for more information about the hoax/warning from secondary sources. Before jumping to conclusions by reading certain documents on the Internet, check the following:

- If it is posted by newsgroups that are suspicious, crosscheck the information with another source
- If the person who has posted the news is not a known person in the community or an expert, crosscheck the information with another source
- If a government body has posted the news, the posting should also have a reference to the corresponding federal regulation
- One of the most effective checks is to look up the suspected hoax virus by name on antivirus software vendor sites
- If the posting is technical, hunt for sites that would cater to the technicalities, and try to authenticate the information
Subject: FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS

PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS! You should be alert during the next few days. Do not open any message with an attachment entitled 'POSTCARD FROM BEJING' or 'RESIGNATION OF BARACK OBAMA', regardless of who sent it to you. It is a virus that opens A POSTCARD IMAGE, then 'burns' the whole hard disc of your computer.

This is the worst virus announced by CNN last evening. It has been classified by Microsoft as the most destructive virus ever. The virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus.

This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept.

COPY THIS E MAIL, AND SEND IT TO YOUR FRIENDS. REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US.

End-of-mail

Thanks.

FIGURE 7.3: Hoaxes Warning Message
Fake Antiviruses

Fake antivirus is a method hackers use to affect a system; it can poison the system and break the registry and system files to allow the attacker to take full control of and access to your computer. It appears and performs similarly to a real antivirus program.

Fake antivirus programs first appear in different browsers and warn users that they have various security threats on their system, and this message is backed up by real suspicious viruses. When the user tries to remove the viruses, they are navigated to another page where they need to buy or subscribe to that antivirus and proceed to payment details. These fake antivirus programs are fabricated in such a way that they draw the attention of the unsuspecting user into installing the software.

Some of the methods used to extend the usage and installation of fake antivirus programs include:

- Email and messaging: Attackers use spam email and social networking messages to spread this type of infected email to users and prompt the user to open the attachments for software installation.
- Search engine optimization: Attackers generate pages related to popular or current search terms and plant them to appear as extraordinary and the latest in search engine results. The web pages show alerts about infection that encourage the user to buy the fake antivirus.
- Compromised websites: Attackers secretly break into popular sites to install the fake antiviruses, which can be used to entice users to download the fake antivirus by relying on the site's popularity.
Virus Analysis: DNSChanger

Source: http://www.totaldefense.com

DNSChanger (Alureon) is malware that spreads through emails, social engineering tricks, and untrusted downloads from the Internet. It acts as a bot and can be organized into a botnet and controlled from a remote location. This malware achieves DNS redirection by modifying the following registry key setting against an interface device such as a network card:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%Random CLSID%\NameServer

DNSChanger has received significant attention due to the large number of affected systems worldwide and the fact that, as part of the botnet takedown, the FBI took ownership of the rogue DNS servers to ensure those affected did not immediately lose the ability to resolve DNS names. The malware modifies the DNS settings on the victim's PC to divert Internet traffic to malicious websites in order to generate fraudulent ad revenue, sell fake services, or steal personal financial information.
Virus Analysis: DNSChanger (Contd)

Source: http://www.totaldefense.com

The rogue DNS servers can exist in any of the following ranges:

- 64.28.176.0 - 64.28.191.255
- 67.210.0.0 - 67.210.15.255
- 77.67.83.0 - 77.67.83.255
- 93.188.160.0 - 93.188.167.255
- 85.255.112.0 - 85.255.127.255
- 213.109.64.0 - 213.109.79.255
FIGURE 7.5: Virus Analysis Using DNSChanger (diagram: the victim asks "What is the IP address of www.xsecurity.com?"; the DNS request goes to the attacker's DNS server in Russia, IP 64.28.176.2, because DNSChanger changed the victim's DNS IP address to 64.28.176.2; the answer points at the fake website, IP 65.0.0.2; DNSChanger sniffs the credential and redirects the request to the real website www.xsecurity.com, IP 200.0.0.45)
To infect the system and steal credentials, the attacker has to first run a DNS server. Here the attacker runs his or her DNS server in Russia with an IP of, say, 64.28.176.2. Next, the attacker infects the victim's computer by changing his or her DNS IP address to 64.28.176.2. When this malware has infected the system, it entirely changes the DNS settings of the infected machine and forces all DNS requests to go to the DNS server run by the attacker. After altering the DNS setting, any request that is made by the system is sent to the malicious DNS server. Here, the victim sends the DNS request "What is the IP address of www.xsecurity.com?" to 64.28.176.2. The attacker responds to the request with an answer for www.xsecurity.com that is located at 65.0.0.2. When the victim's browser connects to 65.0.0.2, it lands on a fake website created by the attacker with IP 65.0.0.2. DNSChanger sniffs the credentials (user name, passwords) and redirects the request to the real website (www.xsecurity.com) with IP 200.0.0.45.
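A defender's check for the infection described above, written as an added example (it is not code from the CEH module or from Total Defense): it parses the per-interface NameServer values from a registry dump of the key named earlier and flags any resolver that falls inside the rogue DNS ranges the module lists. The registry dump and its interface GUIDs are constructed sample data, and the function names are the example's own.

```python
"""Check configured DNS servers against the DNSChanger rogue ranges.

Added example, not from the CEH module: the rogue address ranges are the ones
listed in the module; the registry dump below is constructed sample data.
"""
import ipaddress
import re

# Rogue DNS server ranges attributed to DNSChanger in the module text.
ROGUE_RANGES = [
    ("64.28.176.0", "64.28.191.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("85.255.112.0", "85.255.127.255"),
    ("213.109.64.0", "213.109.79.255"),
]

# Convert the inclusive ranges into CIDR networks once so membership tests are cheap.
ROGUE_NETWORKS = [
    net
    for first, last in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    )
]

# Constructed sample of a `reg query`-style dump of the per-interface TCP/IP
# settings (the key named in the module). GUIDs and addresses are invented.
SAMPLE_REG_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}
    NameServer    REG_SZ    8.8.8.8,8.8.4.4
    DhcpNameServer    REG_SZ    192.168.1.1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{66666666-7777-8888-9999-000000000000}
    NameServer    REG_SZ    64.28.176.2,93.188.161.10
    DhcpNameServer    REG_SZ    192.168.1.1
"""


def is_rogue(ip: str) -> bool:
    """True if the address falls inside one of the DNSChanger ranges."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in ROGUE_NETWORKS)


def parse_name_servers(dump: str) -> dict:
    """Map each interface GUID to its statically configured NameServer addresses."""
    servers = {}
    current = None
    for line in dump.splitlines():
        key_match = re.match(r"^HKEY_LOCAL_MACHINE\\.*\\Interfaces\\(\{[0-9A-Fa-f-]+\})\s*$", line)
        if key_match:
            current = key_match.group(1)
            continue
        # Only the static NameServer value is of interest; DhcpNameServer does not match.
        value_match = re.match(r"^\s+NameServer\s+REG_SZ\s+(\S+)", line)
        if value_match and current:
            servers[current] = [s for s in value_match.group(1).split(",") if s]
    return servers


def find_infected_interfaces(dump: str) -> dict:
    """Return {guid: [rogue addresses]} for interfaces pointing at a rogue resolver."""
    hits = {}
    for guid, addrs in parse_name_servers(dump).items():
        rogue = [a for a in addrs if is_rogue(a)]
        if rogue:
            hits[guid] = rogue
    return hits


if __name__ == "__main__":
    for guid, rogue in find_infected_interfaces(SAMPLE_REG_DUMP).items():
        print(f"interface {guid} uses rogue DNS server(s): {', '.join(rogue)}")
```

On a live Windows host the same dump is produced by `reg query` against the key above with the `/s` switch; the check is equally usable against the resolver addresses seen in DNS traffic at the network edge.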
Module Flow

Prior to this, we have discussed viruses and worms. Now we will discuss different types of viruses.

- Virus and Worms Concepts
- Types of Viruses
- Computer Worms
- Malware Analysis
- Countermeasures
- Penetration Testing

This section describes different types of viruses.
(Slide diagram of virus types: Metamorphic, Polymorphic, Encryption, Sparse Infector, Cluster, Direct Action or Transient, Stealth/Tunneling, System or Boot Sector, Multipartite)
Types of Viruses

So far, we have discussed various virus and worm concepts. Now we will discuss various types of viruses.

This section highlights various types of viruses and worms such as file and multipartite viruses, macro viruses, cluster viruses, stealth/tunneling viruses, encryption viruses, metamorphic viruses, shell viruses, and so on. Computer viruses are malicious software programs written by attackers to intentionally enter the targeted system without the user's permission. As a result, they affect the security and performance of the machine. A few of the most common types of computer viruses that adversely affect security systems are discussed in detail on the following slides.

Viruses are classified depending on two categories:

- What Do They Infect?
- How Do They Infect?
What Do They Infect?

System or Boot Sector Viruses

The most common targets for a virus are the system sectors, which are nothing but the Master Boot Record and the DOS Boot Record system sectors. These are the areas on the disk that are executed when the PC is booted. Every disk has a system sector of some sort. They specially infect the floppy boot sectors and records of the hard disk. For example: Disk Killer and Stone virus.

File Viruses

Executable files are infected by file viruses, as they insert their code into the original file and get executed. File viruses are larger in number, but they are not the most commonly found. They infect in a variety of ways and can be found in a large number of file types.

Multipartite Virus

They infect program files, and this file in turn affects the boot sectors. Examples: Invader, Flip, and Tequila.

Cluster Viruses

Cluster viruses infect files without changing the file or planting extra files; they change the DOS directory information so that entries point to the virus code instead of the actual program.

Macro Virus

Microsoft Word or a similar application can be infected through a computer virus called a macro virus, which automatically performs a sequence of actions when the application is triggered or something else. Macro viruses are somewhat less harmful than other types. They are usually spread via an email.

How Do They Infect?

Stealth Viruses

These viruses try to hide themselves from antivirus programs by actively altering and corrupting the chosen service call interrupts when they are being run. Requests to perform operations in respect to these service call interrupts are replaced by virus code. These viruses state false information to hide their presence from antivirus programs. For example, the stealth virus hides the operations that it modified and gives false representations. Thus, it takes over portions of the target system and hides its virus code.

Tunneling Viruses

These viruses trace the steps of interceptor programs that monitor operating system requests so that they get into BIOS and DOS to install themselves. To perform this activity, they even tunnel under antivirus software programs.
Encryption Viruses

This type of virus consists of an encrypted copy of the virus and a decryption module. The decrypting module remains constant, whereas different keys are used for encryption.

Polymorphic Viruses

These viruses were developed to confuse antivirus programs that scan for viruses in the system. It is difficult to trace them, since they change their characteristics each time they infect, e.g., every copy of this virus differs from its previous one. Virus developers have even created metamorphic engines and virus writing toolkits that make the code of an existing virus look different from others of its kind.

Metamorphic Viruses

Code that can reprogram itself is called metamorphic code. This code is translated into temporary code and then converted back to normal code. This technique, in which the original algorithm remains intact, is used to avoid pattern recognition by antivirus software. This is more effective in comparison to polymorphic code. This type of virus consists of complex, extensive code.

Overwriting File or Cavity Viruses

Some program files have areas of empty space. This empty space is the main target of these viruses. The cavity virus, also known as the space filler virus, stores its code in this empty space. The virus installs itself in this unoccupied space without any destruction to the original code. It installs itself in the file it attempts to infect.

Sparse Infector Viruses

A sparse infector virus infects only occasionally (e.g., every tenth program executed) or only files whose lengths fall within a narrow range.

Companion Viruses

The companion virus stores itself by having the identical filename as the targeted program file. As soon as that file is executed, the virus infects the computer, and hard disk data is modified.

Camouflage Viruses

They disguise themselves as genuine applications of the user. These viruses are not difficult to find since antivirus programs have advanced to the point where such viruses are easily traced.

Shell Viruses
This virus code forms a layer around the target host program's code that can be compared to an "eggshell," making itself the original program and the host code its subroutine. Here, the original code is moved to a new location by the virus code and the virus assumes its identity.
File Extension Viruses

File extension viruses change the extensions of files; .TXT is safe, as it indicates a pure text file. If your computer's file extensions view is turned off and someone sends you a file named BAD.TXT.VBS, you will see only BAD.TXT.

Add-on Viruses

Most viruses are add-on viruses. This type of virus appends its code to the beginning of the host code without making any changes to the latter. Thus, the virus corrupts the startup information of the host code and places itself in its place, but it does not touch the host code. However, the virus code is executed before the host code. The only indication that the file is corrupted is that the size of the file has increased.

Intrusive Viruses

This form of virus overwrites its code either by completely removing the target host's program code, or sometimes it only overwrites part of it. Therefore, the original code is not executed properly.

Direct Action or Transient Viruses

Transfers all control to the host code where it resides, selects the target program to be modified, and corrupts it.

Terminate and Stay Resident Viruses (TSRs)

A TSR virus remains permanently in memory during the entire work session, even after the target host program is executed and terminated. It can be removed only by rebooting the system.
System or Boot Sector Viruses

Before Infection: the MBR sits at its original location on the hard disk.

Boot Sector Virus: the boot sector virus moves the MBR to another location on the hard disk and copies itself to the original location of the MBR.

After Infection: the virus code occupies the original MBR location.

Execution: when the system boots, the virus code is executed first and then control is passed to the original MBR.
System sector viruses can be defined as those that affect the executable code of the disk, rather than the boot sector virus that affects the DOS boot sector of the disk. Any system is divided into areas, called sectors, where the programs are stored.

The two types of system sectors are:

- MBR (Master Boot Record): MBRs are the most virus-prone zones because if the MBR is corrupted, all data will be lost.
- DBR (DOS Boot Record): The DOS boot sector is executed whenever the system is booted. This is the crucial point of attack for viruses.

The system sector consists of 512 bytes of memory. Because of this, system sector viruses conceal their code in some other disk space. The main carrier of system sector viruses is the floppy disk. These viruses generally reside in memory. They can also be caused by Trojans. Some sector viruses also spread through infected files, and they are called multipart viruses.
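The 512-byte system sector described above can be checked the way a boot-sector integrity monitor would check it. The following is an added example and not code from the CEH module: it assembles a constructed MBR image in memory, parses the boot signature and partition table using the classic MBR layout (446 bytes of boot code, four 16-byte partition entries, 0x55AA signature), hashes the boot-code region as a baseline, and reports when a later copy of the sector (here a constructed one whose boot code has been replaced, mirroring the slide) no longer matches. All byte values are invented, and the function names are the example's own.

```python
"""Parse a 512-byte system sector and compare it with a trusted baseline.

Added example, not from the CEH module. The layout constants are the classic
MBR layout; the sector contents are constructed in memory.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the bootstrap code
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa" # bytes 510..511
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a constructed MBR from boot code and (bootable, type, lba, sectors) tuples."""
    assert len(boot_code) <= BOOT_CODE_LEN
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba, count) in enumerate(partitions[:4]):
        off = PARTITION_TABLE_OFF + 16 * i
        # CHS fields are zeroed here; modern tooling relies on the LBA fields.
        struct.pack_into(ENTRY_FMT, sector, off, 0x80 if bootable else 0x00,
                         b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Return signature validity, the used partition entries and a hash of the boot code."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("a system sector is exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, PARTITION_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 means an empty slot
            parts.append({"bootable": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": parts,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
    }


def check_sector(sector: bytes, baseline_hash: str) -> list:
    """List the findings an integrity monitor would raise for this sector."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_hash:
        findings.append("boot code differs from trusted baseline")
    if sum(p["bootable"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one bootable partition")
    return findings


# Constructed clean MBR: stand-in boot code plus one bootable partition.
CLEAN_BOOT_CODE = b"\xeb\x3c\x90CONSTRUCTED-BOOTSTRAP".ljust(BOOT_CODE_LEN, b"\x00")
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(True, 0x07, 2048, 1_000_000)])
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

# Constructed infected copy: the boot-code region has been replaced while the
# partition table is untouched, which is what the slide's "after infection" state looks like.
INFECTED_MBR = build_mbr(b"PLACEHOLDER-VIRUS-CODE-REGION".ljust(BOOT_CODE_LEN, b"\x00"),
                         [(True, 0x07, 2048, 1_000_000)])

if __name__ == "__main__":
    print("clean:", check_sector(CLEAN_MBR, BASELINE))
    print("infected:", check_sector(INFECTED_MBR, BASELINE))
```

The partition-table check matters as much as the hash: a sector whose boot code is rewritten but whose partition entries still describe the disk is exactly the case the slide shows, so a monitor that only validates the partition table would miss it.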
Virus Removal

System sector viruses are designed to create the illusion that there is no virus on the system. One way to deal with this virus is to avoid the use of the Windows operating system and switch to Linux or Macs, because Windows is more prone to these attacks. Linux and Macintosh have a built-in safeguard to protect against these viruses. The other way is to carry out antivirus checks on a periodic basis.
FIGURE 7.6: System or Boot Sector Viruses (diagram: the disk before infection, and after infection with the virus code in the MBR location)
File and Multipartite Viruses

File Viruses

File viruses infect files that are executed or interpreted in the system such as COM, EXE, SYS, OVL, OBJ, PRG, MNU, and BAT files. File viruses can be either direct-action (non-resident) or memory-resident. Overwriting viruses cause irreversible damage to the files. These viruses mainly target a range of operating systems that include Windows, UNIX, DOS, and Macintosh.

Characterizing File Viruses

File viruses are mainly characterized and described based on their physical behavior or characteristics. One way to classify a file virus is by the type of file targeted by it, such as EXE or COM files, the boot sector, etc. A file virus can also be characterized based on how it infects the targeted file (also known as the host file):

- Prepending: writes itself into the beginning of the host file's code
- Appending: writes itself to the end of the host file
- Overwriting: overwrites the host file's code with its own code
- Inserting: inserts itself into gaps inside the host file's code
- Companion: renames the original file and writes itself with the host file's name
- Cavity infector: writes itself between file sections of a 32-bit file

File viruses are also classified based on whether they are non-memory resident or memory resident. Non-memory resident viruses search for EXE files on a hard drive and then infect them, whereas memory resident viruses stay actively in memory and trap one or more system functions. File viruses are said to be polymorphic, encrypted, or non-encrypted. A polymorphic or encrypted virus contains one or more decryptors and a main code. The main virus code is decrypted by the decryptor before it starts. An encrypted virus usually uses variable or fixed-key decryptors, whereas polymorphic viruses have decryptors that are randomly generated from processor instructions and that consist of a lot of commands that are not used in the decryption process.

Execution of Payload:

- Direct action: Immediately upon execution
- Time bomb: After a specified period of time
- Condition triggered: Only under certain conditions
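The infection styles listed above (prepending, appending, overwriting, inserting, companion) and the add-on virus note earlier that "the only indication is that the size of the file has increased" both come down to comparing a program file against a trusted copy. The following is an added example, not code from the CEH module: given a known-good baseline and the current bytes of a file, it reports which infection style the change is consistent with, and a second helper spots the companion-virus pattern (a stray NAME.COM beside an established NAME.EXE) in a directory listing. The "executables" and the listing are constructed in memory, and the helper names are the example's own.

```python
"""Characterise how a program file changed against a known-good baseline.

Added example, not from the CEH module. Inputs are constructed byte strings
standing in for real program images.
"""
import hashlib
import os


def sha256(data: bytes) -> str:
    """Hash used for the integrity baseline."""
    return hashlib.sha256(data).hexdigest()


def _common_prefix(a: bytes, b: bytes) -> int:
    n, i = min(len(a), len(b)), 0
    while i < n and a[i] == b[i]:
        i += 1
    return i


def _common_suffix(a: bytes, b: bytes, limit: int) -> int:
    i = 0
    while i < limit and a[len(a) - 1 - i] == b[len(b) - 1 - i]:
        i += 1
    return i


def classify_change(baseline: bytes, current: bytes) -> str:
    """Label how `current` differs from `baseline` using the module's infection styles."""
    if current == baseline:
        return "unchanged"
    n, m = len(baseline), len(current)
    if m > n:
        grown = m - n
        # Add-on / prepending viruses put their code first and leave the host code intact.
        if current.endswith(baseline):
            return f"prepended {grown} bytes; host code intact at end"
        # Appending viruses leave the host code at the start of the file.
        if current.startswith(baseline):
            return f"appended {grown} bytes; host code intact at start"
        # Inserting (cavity) viruses split the host: the original survives as prefix + suffix.
        p = _common_prefix(baseline, current)
        s = _common_suffix(baseline, current, n - p)
        if p + s == n:
            return f"inserted {grown} bytes at offset {p}; host code intact around the insert"
        return f"grew by {grown} bytes and host code was rewritten"
    if m == n:
        changed = sum(1 for x, y in zip(baseline, current) if x != y)
        return f"overwritten in place; {changed} of {n} bytes differ"
    return f"shrank by {n - m} bytes; host code truncated or overwritten"


def find_companions(listing: list) -> list:
    """Return (com, exe) pairs sharing a base name: the companion-virus pattern.

    DOS runs NAME.COM before NAME.EXE when only NAME is typed, so a .COM that
    appears next to an established .EXE deserves a look. Constructed listing.
    """
    by_stem = {}
    for name in listing:
        stem, ext = os.path.splitext(name.lower())
        by_stem.setdefault(stem, set()).add(ext)
    return sorted((stem + ".com", stem + ".exe")
                  for stem, exts in by_stem.items() if {".com", ".exe"} <= exts)


# Constructed stand-ins for a clean program image and four infected variants.
HOST = b"MZ" + bytes(range(64)) + b"ORIGINAL-HOST-CODE"
ADDON = b"VIRUS-STUB" + HOST                       # add-on / prepending
APPENDED = HOST + b"VIRUS-STUB"                    # appending
CAVITY = HOST[:40] + b"VIRUS-STUB" + HOST[40:]     # inserting into a gap
OVERWRITE = HOST[:40] + b"XXXXXXXXXX" + HOST[50:]  # overwriting, same size

if __name__ == "__main__":
    baseline_hash = sha256(HOST)
    for label, sample in [("addon", ADDON), ("appended", APPENDED),
                          ("cavity", CAVITY), ("overwrite", OVERWRITE)]:
        if sha256(sample) != baseline_hash:
            print(f"{label}: {classify_change(HOST, sample)}")
    print(find_companions(["EDIT.EXE", "edit.com", "format.com", "word.exe"]))
```

In practice only the hash of the baseline is stored; the byte-level classification runs once a hash mismatch has already been raised, so the trusted copy is fetched from a clean install medium or package cache only for the files that need it.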
Multipartite Viruses

A multipartite virus, also known as a multi-part virus, attempts to attack both the boot sector and the executable or program files at the same time. When the virus is attached to the boot sector, it will in turn affect the system files, and then the virus attaches to the files, and this time it will in turn infect the boot sector.
FIGURE 7.7: File and Multipartite Viruses
Macro Viruses

Infects Macro Enabled Documents (diagram: attacker sends a document to the user)

- Macro viruses infect templates or convert infected documents into template files, while maintaining their appearance of ordinary document files
- Most macro viruses are written using the macro language Visual Basic for Applications (VBA)
Macro Viruses
Microsoft Word or similar applications can be infected through a computer virus called a macro virus, which automatically performs a sequence of actions when the application is triggered or some other event occurs. Most macro viruses are written using the macro language Visual Basic for Applications (VBA), and they infect templates or convert infected documents into template files, while maintaining their appearance of ordinary document files. Macro viruses are somewhat less harmful than other types. They are usually spread via email. Pure data files do not allow the spread of viruses, but sometimes the line between a data file and an executable file is easily overlooked by the average user due to the extensive macro languages in some programs. In most cases, just to make things easy for users, the line between a data file and a program starts to blur only where the default macros are set to run automatically every time the data file is loaded. Virus writers can exploit common programs with macro capability such as Microsoft Word, Excel, and other Office programs. Windows Help files can also contain macro code. In addition, the latest exploited macro code exists in the full version of the Acrobat program that reads and writes PDF files.
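The passage above turns on one detail: a macro becomes dangerous when it is wired to run automatically on load and reaches outside the document (for instance into the global template). The following added example, which is not part of the EC-Council module, shows the inspection step a defender would apply to VBA source already extracted from a document. The procedure-name list, the keyword list and both VBA snippets are constructed for the demonstration; the heuristic of flagging auto-exec entry points together with outward-reaching identifiers mirrors what tools such as olevba report.

```python
"""Heuristic inspection of extracted VBA source for auto-executing macros.

Added example. The VBA snippets below are constructed for this demonstration
and are not taken from any real document. A real workflow first extracts the
VBA project from the Office file; this covers only the inspection step.
"""
import re

# Procedure names that Word and Excel run without user action when a document
# is opened or closed (assumed list, drawn from documented VBA event names).
AUTO_EXEC_NAMES = {
    "autoopen", "autoclose", "autoexec", "autonew", "autoexit",
    "document_open", "document_close", "workbook_open", "workbook_close",
}

# Identifiers that show a macro reaching outside the document: spawning a
# process, creating COM objects, or touching the global template, which is the
# conversion-to-template behaviour the module describes (assumed list).
SUSPICIOUS_KEYWORDS = ("Shell", "CreateObject", "NormalTemplate", "SaveAs")

PROC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)",
    re.IGNORECASE | re.MULTILINE,
)


def find_procedures(vba_source):
    """Return the names of all Sub/Function procedures declared in the source."""
    return PROC_RE.findall(vba_source)


def analyze_vba(vba_source):
    """Summarise auto-exec entry points and risky identifiers in one module."""
    procs = find_procedures(vba_source)
    auto_exec = [p for p in procs if p.lower() in AUTO_EXEC_NAMES]
    keywords = sorted(
        k for k in SUSPICIOUS_KEYWORDS
        if re.search(r"\b" + re.escape(k) + r"\b", vba_source)
    )
    # Flag only the combination: code that runs by itself AND reaches outside
    # the document. Either alone is common in legitimate macros.
    return {
        "procedures": procs,
        "auto_exec": auto_exec,
        "keywords": keywords,
        "flag": bool(auto_exec) and bool(keywords),
    }


# Constructed sample 1: an ordinary formatting helper.
SAMPLE_BENIGN = """\
Sub FormatReport()
    ' Constructed sample: runs only when the user invokes it
    Selection.Font.Bold = True
End Sub
"""

# Constructed sample 2: an entry point that fires on open, references the
# global template and launches an external command (placeholder path).
SAMPLE_SUSPICIOUS = """\
Private Sub Document_Open()
    ' Constructed sample: auto-executes when the document is opened
    NormalTemplate.Saved = True
    Shell "C:\\placeholder\\command.exe"
End Sub

Sub Helper()
    MsgBox "placeholder"
End Sub
"""

if __name__ == "__main__":
    for label, src in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(label, analyze_vba(src))
```

The benign module declares one procedure and trips nothing; the second module is flagged because `Document_Open` runs on load and the body references both `NormalTemplate` and `Shell`. Requiring both conditions keeps the false-positive rate down on ordinary office automation, which frequently uses one or the other.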
FIGURE 7.8: Macro Viruses (figure labels: Attacker, User; infects macro-enabled documents)
Cluster Viruses
Cluster viruses modify directory table entries so that they point users or system processes to the virus code instead of the actual program
Virus copy: There is only one copy of the virus on the disk, infecting all the programs in the computer system
Launch itself: It will launch itself first when any program on the computer system is started, and then control is passed to the actual program
Cluster Viruses
Cluster viruses infect files without changing the file or planting extra files; they change the DOS directory information so that entries point to the virus code instead of the actual program. When a program is run under DOS, it first loads and executes the virus code, and then the virus locates the actual program and executes it. Dir-2 is an example of this type of virus.
Cluster viruses modify directory table entries so that directory entries point to the virus code. There is only one copy of the virus on the disk, infecting all the programs in the computer system. It will launch itself first when any program on the computer system is started, and then control is passed to the actual program.
Stealth/Tunneling Viruses
These viruses evade the anti-virus software by intercepting its requests to the operating system
A virus can hide itself by intercepting the anti-virus software's request to read the file and passing the request to the virus, instead of the OS
The virus can then return an uninfected version of the file to the anti-virus software, so that it appears as if the file is "clean"
Stealth/Tunneling Viruses
Stealth Viruses
These viruses try to hide themselves from antivirus programs by actively altering and corrupting the chosen service call interrupts when they are being run. Requests to perform operations in respect to these service call interrupts are replaced by virus code. These viruses state false information to hide their presence from antivirus programs. For example, the stealth virus hides the operations that it modified and gives false representations. Thus, it takes over portions of the target system and hides its virus code.
The stealth virus hides itself from antivirus software by hiding the original size of the file or temporarily placing a copy of itself in some other drive of the system, thus replacing the infected file with the uninfected file that is stored on the hard drive.
A stealth virus hides the modifications that it makes. It takes control of the system's functions that read files or system sectors and, when another program requests information that has already been modified by the virus, the stealth virus reports that information to the requesting program instead. This virus also resides in memory.
To avoid detection, these viruses always take over system functions and use them to hide their presence.
One of the carriers of the stealth virus is the rootkit. Installing a rootkit generally results in this virus attack because rootkits are installed via Trojans, and thus are capable of hiding any malware.
Removal:
Always do a cold boot (boot from a write-protected floppy disk or CD)
Never use DOS commands such as FDISK to fix the virus
Use antivirus software
Tunneling Viruses
These viruses trace the steps of interceptor programs that monitor operating system requests so that they get into BIOS and DOS to install themselves. To perform this activity, they even tunnel under antivirus software programs.
FIGURE 7.9: Working of Stealth/Tunneling Viruses (figure labels: Anti-virus Software asks "Give me the system file TCPIP.SYS"; Virus hides the infected TCPIP.SYS and replies "Here you go" with the original TCPIP.SYS)
Encryption Viruses
This type of virus uses simple encryption to encipher the code
The AV scanner cannot directly detect these types of viruses using signature detection methods
The virus is encrypted with a different key for each infected file
Encryption Viruses
This type of virus consists of an encrypted copy of the virus and a decryption module. The decrypting module remains constant, whereas different keys are used for encryption. These viruses generally employ XOR on each byte with a randomized key.
The enciphered virus consists of a decryption module and an encrypted copy of the code, encrypted under an encryption key.
For each infected file, the virus is encrypted by using a different combination of keys, but the decrypting module part remains unchanged.
It is not possible for the virus scanner to directly detect the virus by means of signatures, but the decrypting module can be detected.
The decryption technique employed is XOR of each byte with a randomized key that is generated and saved by the root virus.
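The two claims above (a body signature fails because every infected file carries a different key, while the constant decryption module can still be detected) are easiest to see side by side. The following added example is not from the EC-Council module and contains no malware: BODY is an arbitrary byte string standing in for the enciphered part, STUB is a made-up marker standing in for the decryption module, and each "infected file" image is built as STUB + key byte + XOR(BODY, key), mirroring the scheme the text describes. All names and values are constructed.

```python
"""Why a body signature fails against an encryption virus but a signature on
its constant decryptor does not.

Added example; nothing here is real malware. BODY is an arbitrary byte string
standing in for the part that gets enciphered, STUB is a made-up marker for
the decryption module that the module says stays constant, and each "infected
file" image is STUB + key byte + XOR(BODY, key), mirroring the scheme the
module describes (XOR of every byte with a randomized per-file key).
"""

# Constructed stand-ins (not from the page).
BODY = b"CONSTRUCTED-SAMPLE-BODY: this stands in for the code that gets enciphered"
STUB = b"<<constructed-decryptor-stub-constant-across-infections>>"


def xor_bytes(data, key):
    """XOR every byte with one key byte; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def make_sample(key):
    """Build one constructed 'infected file' image for the given key byte."""
    return STUB + bytes([key]) + xor_bytes(BODY, key)


def scan(data, signature):
    """Plain byte-pattern match, i.e. classic signature detection."""
    return signature in data


def recover_body(sample):
    """Undo the XOR with the stored key, as an analyst would before matching."""
    key = sample[len(STUB)]
    return xor_bytes(sample[len(STUB) + 1:], key)


def demo(keys=(0x00, 0x5A, 0xFF, 0x37)):
    """Scan four variants with a body signature and with a stub signature."""
    samples = [make_sample(k) for k in keys]
    body_sig = BODY[:16]                      # signature taken from the clear body
    body_hits = [scan(s, body_sig) for s in samples]
    stub_hits = [scan(s, STUB) for s in samples]
    recovered = all(recover_body(s) == BODY for s in samples)
    return {"body_hits": body_hits, "stub_hits": stub_hits, "recovered": recovered}


if __name__ == "__main__":
    print(demo())
    # body_hits: only the key-0x00 variant (XOR with 0 leaves the body in clear)
    # stub_hits: every variant, because the decryptor never changes
```

The body signature matches only the variant whose key byte is 0x00, which is the degenerate case where XOR changes nothing; for every other key it misses. The stub signature matches all four, which is exactly why scanners target the decryptor. recover_body shows the other defensive route the text implies: because the key is stored alongside the data, an analyst can strip the layer and match the plain body.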
FIGURE 7.10: Working of Encryption Viruses (figure labels: Virus Code; Encryption Virus 1, Encryption Virus 2, Encryption Virus 3)
Polymorphic Code
Polymorphic code is code that mutates while keeping the original algorithm intact
To enable polymorphic code, the virus has to have a polymorphic engine (also called a mutating engine or mutation engine)
A well-written polymorphic virus therefore has no parts that stay the same on each infection
Polymorphic Code
Polymorphic viruses modify their code for each replication in order to avoid detection. They accomplish this by changing the encryption module and the instruction sequence. A random number generator is used for implementing polymorphism.
A mutation engine is generally used to enable polymorphic code. The mutator provides a sequence of instructions that a virus scanner can use to optimize an appropriate detection algorithm. Slow polymorphic codes are used to prevent antivirus professionals from accessing the codes.
Virus samples (bait files that become infected after a single execution) contain a similar copy of the virus. A simple integrity checker is used to detect the presence of a polymorphic virus on the system's disk.
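The "simple integrity checker" the text ends on is the natural counter to code that has no constant bytes to sign: instead of looking for the virus, it looks for any change to files that should not change. The following added example is not from the EC-Council module; the directory, file names and contents are constructed in a temporary folder, and the infection is simulated by appending filler bytes to one executable and dropping one unexpected file.

```python
"""A simple file integrity checker, the kind of check the module says finds a
polymorphic virus on disk: with no fixed byte signature to match, the change
in file content is still exposed by comparing cryptographic hashes against a
trusted baseline.

Added example. The files are constructed in a temporary directory; the
'infection' is simulated by appending filler bytes to one executable and
dropping one new file.
"""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries need little memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> digest for every regular file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = file_digest(path)
    return baseline


def check_against(root, baseline):
    """Compare the tree under root with a saved baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Build a constructed program directory, baseline it, then alter it."""
    with tempfile.TemporaryDirectory() as root:
        for name, content in (("app.exe", b"A" * 64), ("tool.exe", b"B" * 64), ("readme.txt", b"docs")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        baseline = build_baseline(root)

        # Simulated infection: the executable's bytes change (appended filler
        # stands in for an infected copy) and one unexpected file appears.
        with open(os.path.join(root, "app.exe"), "ab") as f:
            f.write(b"\x00" * 16)
        with open(os.path.join(root, "dropped.tmp"), "wb") as f:
            f.write(b"x")

        return check_against(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Two caveats follow directly from the earlier sections of this module. The baseline must be taken from a known-clean system and stored where the machine cannot rewrite it, or the checker only certifies the infection. And because a stealth virus intercepts the system's file-read functions and can hand back the uninfected image, the comparison should be run after the cold boot from write-protected media that the removal advice above calls for, not from the suspect system's own running OS.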
FIGURE 7.11: How Polymorphic Code Works (figure labels: User runs an infected program; in RAM the decryptor routine decrypts the virus code and the mutation engine; Virus does the damage; a new polymorphic virus is produced, consisting of an Encrypted Mutation Engine (EME), Encrypted Virus Code and a Decryptor Routine)
Polymorphic viruses consist of three components. They are the encrypted virus code, the decryptor routine, and the mutation engine. The function of the decryptor routine is to decrypt the virus code. It decrypts the code only after taking control over the computer. The mutation engine generates randomized decryption routines. This decryption routine varies every time a new program is infected by the virus.
With a polymorphic virus, both the mutation engine and the virus code are encrypted. When a program that is infected with a polymorphic virus is run by the user, the decryptor routine takes complete control over the system, after which it decrypts the virus code and the mutation engine. Next, the control